'Protect' open Samba share

I have an open Samba share on a router (Bt Home Hub 3/4) and intend to use it as a backup target. It's created automatically when a USB stick is inserted into the router. Unfortunately this share is not supported officially and afaik is uncontrollable.

I'm thinking of accessing the share as an rsync destination from Debian running in a VM hosted by Windows 7. I might, in some cases, access the share directly.

The problem is that the share is open, so any share-seeking malware will have an easy time finding and infecting the backup. I want to protect the share but of course i can't do that the 'proper' way - at the Samba server. So i need to protect it 'at the client' and am looking for ideas, both Windows -> Samba server and Linux -> Samba server.

If the share is marked as browsable at the server then I'm afraid there's no way to block people from browsing it. As a workaround far from perfect you may wish to block the access of that samba port on the router side, except for the time window of the backup.

If you want to block from the client side then you could do the same; i.e. set Windows firewall to block access of samba port of the router. I don't think you can set an exception time window in Windows, though.

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)

Yes i can assure you, being locked out of my own router (i'm not used to getting locked out of things as i don't use Windows or a Mac ;)) sticks in my craw and i must sort that out some time.
Maybe i'll knock up proper Samba in the shape of a home-made NAS with a RaspberryPi.

But your 'timely firewalling' idea has at least given me something to think about.

If the samba share is on the router, there is no way a client can protect that share.
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
if it would allow direct iptables rules, it should look like this, presuming 192.168.1.0 is your own network:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 137 -j DROP

I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.

That's an interesting idea to add to the mix but of course it won't help if say cryptolocker gets onto the box i'm trying to back up. Cryptolocker can sail through to do its nasties on an allowed ip address

In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …